ABSTRACT

A method for providing authentication, authorization and access control of software object residing in digital set-top terminals creates a fingerprint ("signature") for each software object, associates each fingerprint with a service tier, encodes each association, creates an association table containing the information and downloads the association table to the digital set-top terminal. In addition, the method utilizes an entitlement management message, sent to each set-top terminal, indicating what software objects the set-top terminal may utilize, and provides a system routine at the digital set-top terminal that is invoked whenever software object is about to be utilized. The entitlement management message contains the access rights given to a particular set-top terminal, which must match the software object's access requirements for the software object to be utilized. The entitlement management message may also contain set-top terminal resource control access rights that a given software object may utilize. When the software object requires the utilization of a set-top resource, a second conditional access routine may be invoked to determine the authorization rights for using the resource. Measures to protect such means are also described. As such, the method provides multiple system cable operators (MSO's) with additional capabilities to maintain secure control of features and applications running on their networks and within the associated set-top terminals.

31 Claims, 4 Drawing Sheets 
AUTHORIZATION AND ACCESS CONTROL OF SOFTWARE OBJECT RESIDING IN SET-TOP TERMINALS

This application claims the benefit of U.S. Provisional Application No. 60/090,297, filed Jun. 23, 1998.

FIELD OF THE INVENTION

The present invention relates generally to a method for providing authorization, authentication and access control of "executable code", or "software object", which includes but is not limited to application code, operating systems and associated components (e.g. dynamic link libraries, DLL's), BIOS, [...]

BACKGROUND OF THE INVENTION

As digital set-top terminals (the General Instrument DCT5000+, for example) incorporate the capability to download different operating systems, DLL's and JVM's (Windows CE included), multiple system cable operators (MSO's) need a mechanism that will allow them to maintain control of the features and applications that run within these set-top terminals. More specifically, MSO's want the ability to access control services and the associated usage of software objects in set-top terminals.

One known attempt to address the authenticity of code objects for the PC environment is Microsoft's "Authenticode" capability. This product enables software vendors to acquire a digital signature for published executable code. Authenticode provides a digital signature with only one signer; the code is signed with Microsoft's private key (which is not published) and is verified with Microsoft's public key, which is bundled into the Authenticode verification code in the operating system. However, while Authenticode provides digital signature protection for executable code, it does not provide any means of determining access requirements for the executable code for access control purposes (and revenue generation purposes), and it is applicable only to executable code.

A second known attempt to address control of Java applets is "Java Security", which is intended to prevent applets from inspecting or changing files on a client system and from using network connections to circumvent file protections or data privacy measures. However, as is the case with Authenticode, Java Security does not offer authentication of any software object unless it is Java based, nor does it offer the association with access requirements for access control and revenue generation purposes.

Although each of the products described above attempts to address protection and control of software object in a PC environment against unauthorized utilization by a given set-top terminal, they do not fully address the issues associated with authorization, authentication and access control, and thus do not provide an optimal solution that meets MSO requirements.

SUMMARY OF THE INVENTION

As set-top terminals assume a computing environment for entertainment purposes by utilizing downloadable software objects such as operating systems, libraries, Java Virtual Machines, applications, applets, etc., it becomes extremely critical to protect and control the software object to guard against unauthorized utilization by a given set-top terminal. In accordance with the proposed concept, not only does the identity of each software object require authentication, but also its utilization has to be subject to MSO control via authorization permissions, along with control of which set-top terminal resources a given software object may use. These measures complement those of object validation and verification and ensure that software objects that have not been authenticated are not utilized. To the extent that these measures are utilized, the set-top terminal is no longer subject to problems associated with objects that have failed to follow the security design rules, or worse yet, those which may be contaminated with a virus that is intended to cause harm to the MSO's network and associated set-top terminals.

In a particular embodiment of the invention, a method for providing authorization and access control of software object residing in digital set-top terminals creates a fingerprint (signature) for each software object, associates each fingerprint with a service tier, encodes each association and creates an association table containing the information generated by the encoding step (note, this table may consist of one or more individual entries). In addition, the method sends the association table to the digital set-top terminal and also transmits a message indicating what software objects the set-top terminal may utilize, to the digital set-top terminal. Finally, the proposed method provides a system routine at the digital set-top terminal that is invoked prior to commencing download of the object, once the software object has been downloaded, or optionally whenever the software object is about to be utilized. The system routine uses the association table to validate the authenticity of the object (authenticate) and to determine if the software object about to be utilized is associated with a corresponding service tier for which the set-top has been authorized; if not, the software object download (or utilization) is not allowed. If, however, the software object to be downloaded (or utilized) is associated with a service tier for which the set-top has been authorized, the object download (or utilization) is allowed.

In accordance with another aspect of the invention, the software object has been verified and validated prior to the recited steps.

In accordance with still another aspect of the invention, the transmitted message further indicates which set-top terminal resources the software object, or the set-top as a whole, is authorized to utilize.

Yet a further advantage provided by another feature of the present invention is that if the software object about to be invoked contains the correct fingerprint and the authorization rights match the authorization requirements associated with the software object, the method further determines if the use of set-top terminal resources has been authorized. In one embodiment, if a determination is made that the use of a set-top terminal resource has been requested, the method further provides a second system routine at the digital set-top terminal, and the second system routine uses the transmitted messages to determine if the software object may utilize the requested set-top terminal resource. In the case where the resource is authorized as an Impulse-authorizable resource (by associating it with an impulse tier in the message), the user is allowed to request an impulse (immediate) authorization of this resource. This prevents the subscriber (user) from having to call the MSO's Customer Service Center for such authorization.

A further advantageous feature of the invention is that if the software object about to be utilized does not contain the correct fingerprint, the software object is not executed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified block diagram illustrating the logical paths of a cable system relevant to the description of the invention.
FIG. 2 is a simplified flow chart illustrating the steps performed by a multiple system cable operator (MSO) to provide authorization and access control of software object in set-top terminals.

FIG. 3 is a simplified flowchart illustrating the steps performed by a Conditional Access (CA) routine, at a set-top terminal, upon invoking software object.

FIG. 4 is a simplified flowchart illustrating the additional steps performed by a second Conditional Access (CA) routine in another embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

Multiple system cable operators need to extend access control capabilities, i.e., to control the ability to access and use software objects in set-top terminals capable of downloading such objects and later utilizing these objects if their download and use is authorized and the objects pass authentication checks.

Access control of a software object, in accordance with one aspect of the invention, consists of three parts. The first defines the access requirements for a particular service (and associated objects), and the second defines the authorization rights for a particular set-top terminal to access these services (and associated objects). The third provides additional identification information to enable the set-top terminal to authenticate the objects prior to their utilization. The access requirements may be considered as the lock and the authorization rights may be considered as the key. When the authorization rights match the access rights (and no parental control is required), the set-top terminal is allowed to access the service (and associated objects).

There are two types of messages that facilitate the access control function. First, the Entitlement Control Message (ECM) delivers the Entitlement Control Structure (ECS) (explained in further detail below), which contains the Entitlement Control Record (ECR) (also explained in detail below) for the associated objects and lists the entitlement information required for program viewing or object(s) use. The second message, the Entitlement Management Message (EMM), delivers the entitlement purchased by or granted to the consumer. The functions of each of these messages are described in greater detail below.

The following provides an outline of how software objects are authorized to run (post authentication). All software objects that are not authorized (and authenticated) in this manner will not be usable by the set-top terminal. In the event that all preventive measures intended to keep unauthorized software objects from residing within the set-top terminal fail, this approach aids in detecting such applications and in preventing their utilization or execution.

In the digital set-top terminal, the utilization of all software objects (including applications associated with a given service) must be authorized by the access control system. The software object is specified to consist of downloadable code or data that may be utilized in the set-top terminal at either the subscriber's or the MSO's will.

First, as illustrated in the block diagram of FIG. 1, an Object Authentication Signature Device 300 (OASD) utilizes either a National Access Controller 310 (NAC) (in the national control scenario) or a Local Access Controller 320 (LAC) (in the local control scenario) to interact with a number of set-top terminals 350a, 350b, etc. The details of the interactions of each of these devices are described below in connection with the detailed description of the invention.

Referring to the flow chart of FIG. 2, in step 10, a "fingerprint", i.e., a digital signature, is created for each software object (e.g., applications, OS's, DLL's, JVM's, Java applications and applets, etc.). The fingerprint (signature) of the software object serves as a unique Entitlement Control Record (ECR). For example, each object that the MSO wants to place in this category, i.e., under access control, is associated with a "fingerprint". Note that the fingerprint might simply be a seed for a key that could be encrypted by known means, or it could be a value that is derived from an initial value through processing it as an image or otherwise (i.e., the fingerprint may include object size, checksum, etc.).

In practice, the fingerprint (digital signature) may be generated by an object authentication/signature device (OASD). This is performed after the software object is verified and validated (either through inspection, test or otherwise, details of which are outside the scope of this application). The intent of the software verification and validation is to ensure that the design and implementation of the object follows a prespecified set of rules and requirements for security. This may be done under contract to the MSO (details of which are outside the scope of this application). The signature may be based on a unique (which may or may not be MSO-specific) object identifier and a cryptographic CRC of the object, and serves as a form of certification that is unique to the software object itself (several conventional signing techniques may be used, details of which however are outside the scope of this application). If several objects are associated with a service, each may be associated with a signature, and then a single signature may be formed whenever authentication of the higher level association is desired.

Continuing to step 20 of FIG. 2, the fingerprint of each software object is then associated with a service tier. Both satellite and cable access control systems utilize the concept of "tiering". For audiovisual services, a tier is a logical grouping of programs or services (the degenerate case being a single program or service). The grouping is created to facilitate control of the user's (subscriber's) access to that group of programs or services based on the MSO's subscriber file (i.e., which tiers are subscribed to by a given consumer). The access rights of the user would demand a great deal of memory in the set-top terminal if the access rights were stored as separate flags for each and every program or object available. The tiers are typically represented as single binary digits (bits) that can be defined and redefined dynamically; since each tier (or group) is represented as a single bit and the tiers are defined to be relevant to the service offering at a given point in time, they offer the most compact representation possible for the user's access rights (compactness is very important, since the access rights must be kept in secure memory, which is limited, and must be transmitted frequently, and as such bandwidth requirements are minimized). One or more objects may be associated with a given service/application and assigned the corresponding tiers. Additionally, while such authorization rights may be stored on a server at the other end of the network (as opposed to at the set-top terminal), where a set-top terminal may query its rights by communicating with the server in real time, it is typically advantageous to distribute this information within the set-top terminals for security, robustness and performance, as well as for minimizing single point of failure effects. Once the event (or "program") terminates, or once the object(s) is no longer offered as part of a particular service, the tier definition will be updated to reflect this
change. The authorization tiers for which the subscriber has been authorized are conveyed in a corresponding Entitlement Management Message (EMM) (described in further detail below in the description of FIG. 2, step 50).

In a preferred embodiment of the invention, there are two types of tiers. The first, a Subscription tier, is associated with a service (and corresponding objects) that continues over a duration of time and which is purchased ahead of actual use. The second, an Impulse Pay Per Use tier (IPPU, analogous to the Impulse Pay Per View for video programming), allows for an impulse purchase of an object or set of objects associated with a given service/application and may have a time duration associated with it. It will be appreciated by those skilled in the art that other usages, combination or conditional, can be based on these two tiers.

Referring once again to step 20 in FIG. 2, more specifically, the fingerprint to service tier association may be signed by the MSO's access controller (Access Controller (AC) for national control or Digital Access Controller (DAC) for local control) via the addition of a CA (conditional access) subtending signature functionality specific to objects associated with the MSO's network. This function can be facilitated by the OASD when it is acting as a subtending device to the MSO's AC or DAC. As previously mentioned, OASD functionality may be embodied in an independent device (software and/or hardware) which in turn would communicate with the AC or the DAC to obtain the access requirement assignments (corresponding tiers for that object).

The additional MSO-specific signature takes the signature of a previously signed object (i.e., the fingerprint or "digital signature" generated by the OASD) and adds to it a unique object identifier (if an MSO-specific object identifier is required). It also adds any one or more entitlement tier bits, which define the access requirements associated with the corresponding software object, and an envelope signature for the entire structure, referred to hereafter as the entitlement control structure (ECS). This unique and secret encoding of the ECS is shown in step 30.

The ECS may contain the access requirements for the object and associated resources, or it may be partitioned into two ECS's, one for the access requirements for the object and another for the resources. The latter approach is typically more appropriate if the resource authorization is independent of a given object and is being performed on a set-top wide basis. However, either approach may be utilized (i.e., a combined ECS or two separate ECS's) and has no impact on how the authorization steps are performed.

The cost and free-use period, along with global set-top terminal resource restrictions, for example, may be assigned by this device as specified by the AC or the DAC (which in turn may be specified via the Billing System interface). These parameters are also conveyed as part of the ECS within the ECM.

The functionality of the OASD and the MSO's signing and creation of the ECS (steps 10-30) may be combined into a single device, subtending to the AC or the DAC, as the preferred embodiment since it is the simpler case. Either way, the physical product partitioning shouldn't alter the functional steps that need to be performed (it may optimize these steps, however).

Continuing to step 40 of FIG. 2, at the MSO, the collection of unique ECS's forms an association table that is made available to a national or local download function (Downloader) associated with the AC or the DAC, respectively, and is downloaded to the digital set-top terminal (either in its entirety, or one entry at a time in an appropriate message, when downloading). Whenever the Downloader downloads protected software objects it provides the digital set-top terminal with the secret "software object fingerprint to service tier association" (ECS), which is preferably encrypted by known means before transmission. The Downloader downloads the software object, while the ECS (in the associated ECM's) may be sent independently. It will be appreciated by those skilled in the art that this independence provides an additional security measure.

Applicants note that in an alternative embodiment of the invention, if authorization is not required, the ECS may then effectively consist of the ECR only (i.e., step 20 of FIG. 2 is not performed). The ECS in such an embodiment is tacked onto the downloaded object. The set-top terminal examines the ECS to perform the authentication check, and its download function downloads the first N bytes of the object (as indicated by the header information accompanying the downloaded object) and ignores the trailing bytes that contain the ECS. However, the preferred embodiment described above is preferable to this embodiment for two reasons. First, tacking the ECS onto the object removes a desirable security measure, and second, this embodiment introduces inconsistent processing between an ECS which contains only the ECR and one which contains the ECR and the service tier association. The preferred embodiment, however, does not restrict how the ECS may be conveyed, nor does it restrict the ECS to the type of message that specifies it (EMM or some other control message).

Again returning to the description of step 40 of FIG. 2, the Downloader may be part of the AC or the DAC, since it can be viewed as a software task, or alternatively it can be separate from the DAC, i.e., a software task running on its own HW platform.

The AC or the DAC (HW and SW devices) take parameter settings from the billing system and the customer profile and then control the set-top terminal's access to a specific service and associated object or set of objects by using the previously mentioned Entitlement Management Messages (EMM's) specific to that set-top terminal. These messages also indicate whether the set-top terminal is allowed to utilize that software object and may also specify which terminal resources (e.g., communication ports, printer port, keyboard, etc.) the object is allowed to use (if resource control is desired). Additionally, the AC or the DAC may select an Impulse authorization tier (and convey the setting via the same message) to facilitate immediate authorization of the requested resource when the subscriber explicitly requests that the resource be authorized. In the case where a resource is authorized as an Impulse-authorizable resource (by associating it with an impulse tier in the message), the user may request an impulse (i.e., immediate) authorization of this resource, thereby preventing the subscriber (user) from needing to call the MSO for such authorization.

Finally, in step 50, the AC or the DAC sends the EMMs to each and every set-top terminal to enable it to download and utilize the object(s) (more specifically, when resource control is desired for a single object globally across all set-tops, the permission list for the resource control may reside in the ECS; otherwise the permissions (access rights) are conveyed to each set-top individually in an EMM). The Access Controller (or DAC) then sends the entitlement to the set-top terminal that is authorized to receive this service
and associated objects (again, these entitlements are assigned in the previously described EMM's).

A system routine is created and provided in the set-top terminal, and is invoked whenever the set-top terminal is to check the authorization rights and authenticity of the software objects associated with the requested service. This system routine may be part of the core code (BIOS) in the set-top terminal. It may also be provided within the operating system (OS) or middleware. When downloading the operating system, or the JVM for example, the resident routine is invoked to check authorization rights prior to download and, if so authorized, to authenticate these objects post download. A second authorization stage may also be present (for some objects) to check if utilization/launch of these objects is allowed. Once the operating system is loaded, any subsequent object utilization that involves the operating system or the JVM invokes the equivalent authorization and authentication routine in the OS.

More specifically, the set-top terminal authenticates and authorizes a downloaded object using the EMM's and ECM's associated with a given set-top terminal and object, respectively. The set-top may check the authorization rights against the authorization requirements of the software object prior to downloading the object, upon downloading the object, or whenever the object is about to be utilized. Subsequent authorization checks are optional. FIG. 3 is a flowchart illustrating the steps performed at a set-top terminal upon invoking software object.

Referring to FIG. 3, in step 110, the BIOS, operating system or the Java Virtual Machine (JVM), when requiring the download or the use of a software object, calls the set-top CA routine for an authentication and authorization check. The use or launch of the object is allowed only if the check passes. The CA check is facilitated by the secure processor. In addition, a lifetime feature may be implemented, wherein the secure processor records the object lifetime and checks it for expiration, starting for example with first use (i.e., the first time the secure processor was engaged in authenticating and authorizing the object). When expired, it may interrupt the operating system or JVM to disable/delete the object(s). If any of the checks fail, the set-top terminal may log the results to report back to the access controller. Again, this feature is a combination of software and hardware functions.

More specifically, returning to FIG. 3, in step 120 a determination is made as to whether or not there is a need to check authorization rights. If not, as shown in FIG. 3, in step 130, the software object may be downloaded to the set-top terminal prior to any authorization. However, if so, in step 200 the Conditional Access (CA) routine, before downloading the object, may determine if the set-top terminal is authorized to download the object. This step is optional and may depend upon the nature of the software object (i.e., some objects are necessary and may not require this prior authorization). If the step is performed, and if a determination is made that the set-top terminal is authorized to download the object, the process continues to step 210. If, however, a determination is made in step 200 that the set-top terminal is not authorized to download the object, the process continues to step 160, where the object is not utilized.

In step 210 the software object is downloaded to the set-top terminal and the process continues to step 150 for authentication, described in further detail below.

Alternatively, again if a determination was made in step 120 that there was no need to check authorization rights, the software object is downloaded (step 130) and, as shown in step 140, the Conditional Access (CA) routine determines if the set-top terminal is authorized to use/launch the software object. Based on the determination, the software object may or may not be utilized. All unauthorized software objects will not have a corresponding tier association. The encoded "fingerprint of the software object to tier value" association (ECS) of the software object (or "application" in this example) is known only to the MSO and by definition is unique to each software object and is protected. Accordingly, if a determination is made in step 140 that the set-top terminal has not been authorized to use/launch the software object, the process continues to step 160, where the software object is not downloaded (or utilized). If the tier corresponding to the software object has been authorized, however, the process continues to step 150.

Continuing to step 150, the CA routine, again with the assistance of the secure processor, checks to see if the software object has the corresponding fingerprint association. Depending on the result, the software object may or may not be utilized. For example, all unauthorized software objects will not have a corresponding fingerprint (since an unauthorized software object cannot "guess" the corresponding ECR value). In that case, the process continues to step 160, where the software object is not used. The protected fingerprint of the software object is known only to the MSO and by definition is unique to each software object. If the software object has the corresponding fingerprint association, however, the process continues to step 170, where the set-top terminal authorizes and authenticates the downloaded object.

It will be appreciated by those skilled in the art that each of the authorization steps illustrated in steps 140 and 200 of FIG. 3 is optional and is not necessarily performed. In addition, although the authorization check performed in step 200 continues to step 210 and then to the authentication of step 150, additional subsequent checks could be performed by the CA routine and are well within the scope of the invention.

In addition, in a second embodiment of the invention, if the software object requires the utilization of a given set-top terminal resource, a similar checking process to determine if the software object has permission to use the required resources may occur. These permissions (authorization rights) may be associated with a given object for all set-top terminals or may be associated with a given object for a specific set-top terminal. The authorization rights to use the set-top terminal resources are conveyed in a similar manner, via EMM's.

As noted above, the authorization rights may also be designated as Impulse tiers to indicate that the subscriber may request the immediate authorization of the Impulse-authorizable resource. The set-top in turn checks the request in a similar manner and, if the Impulse tier is set, it registers the authorization as having taken place (for possible subsequent billing purposes).

Each of these options is shown in FIG. 4, where in step 122 a determination is made as to whether a set-top terminal resource is requested by the software object (i.e., whether the software object has requested resource utilization via the OS). If step 122 determines that a valid set-top terminal resource has not been requested, no further action is taken.

If, however, step 122 determines that a valid set-top terminal resource has been requested, the process continues to step 124, in which the OS invokes the driver associated with the requested set-top terminal resource.
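The MSO-side steps 10 through 50 of FIG. 2 and the set-top side checks of FIG. 3 (authorization in step 140, authentication in step 150) and of the second CA routine of FIG. 4, as an added example that is not code from the patent or from General Instrument. It models the ECR as an HMAC-SHA256 over the object identifier and the object bytes (the patent leaves the signing technique open), the ECS as a byte structure carrying the identifier, the ECR, the tier bits and the resource bits under an envelope MAC, the tiers as single bits in an integer mask, and the EMM as a dictionary. The key values, the byte layout, the tier and resource bit assignments and the object contents are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed keys: the OASD's object-signing key and the MSO's envelope key.
# Both are assumptions made so the example runs offline; neither is a real key.
OASD_KEY = b"oasd-object-signing-key-example"
MSO_KEY = b"mso-ecs-envelope-key-example"
MAC_LEN = 32  # SHA-256 digest length, used for both the ECR and the envelope

# Constructed tier bits. Each tier is a single bit as the text describes; here
# the low bits are service tiers and the high bits are resource-control tiers.
TIER_OS = 1 << 0
TIER_GAMES_IPPU = 1 << 2      # an Impulse Pay Per Use tier
RES_MODEM = 1 << 16           # resource tier: communication port
RES_PRINTER = 1 << 17         # resource tier: printer port


def fingerprint(obj_id: str, code: bytes) -> bytes:
    """FIG. 2 step 10: the ECR, a keyed digest over the unique object identifier
    and the object bytes. HMAC-SHA256 stands in for the unspecified signature."""
    return hmac.new(OASD_KEY, obj_id.encode() + code, hashlib.sha256).digest()


def encode_ecs(obj_id: str, code: bytes, tiers: int, resources: int = 0) -> bytes:
    """Steps 20-30: bind the fingerprint to its tier bits and wrap the structure
    in an envelope signature. Hypothetical layout:
    id_len(1) | id | ECR(32) | tier bits(4) | resource bits(4) | envelope(32)."""
    oid = obj_id.encode()
    body = (struct.pack("!B", len(oid)) + oid + fingerprint(obj_id, code)
            + struct.pack("!II", tiers, resources))
    return body + hmac.new(MSO_KEY, body, hashlib.sha256).digest()


def decode_ecs(ecs: bytes) -> dict:
    """Set-top side parse: an ECS whose envelope does not verify is rejected
    before any of its fields are trusted."""
    body, envelope = ecs[:-MAC_LEN], ecs[-MAC_LEN:]
    expected = hmac.new(MSO_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(envelope, expected):
        raise ValueError("ECS envelope signature invalid")
    n = body[0]
    obj_id = body[1:1 + n].decode()
    ecr = body[1 + n:1 + n + MAC_LEN]
    tiers, resources = struct.unpack("!II", body[1 + n + MAC_LEN:])
    return {"id": obj_id, "ecr": ecr, "tiers": tiers, "resources": resources}


def build_association_table(objects: dict, requirements: dict) -> dict:
    """Step 40: one ECS per protected object, keyed by object identifier.
    requirements maps object id -> (required service tier bits, resource bits)."""
    return {oid: encode_ecs(oid, code, *requirements[oid]) for oid, code in objects.items()}


def make_emm(set_top_id: str, tiers: int, impulse: int = 0) -> dict:
    """Step 50: the per-terminal entitlement. 'impulse' marks tiers the
    subscriber may self-authorize without calling the MSO."""
    return {"set_top": set_top_id, "tiers": tiers, "impulse": impulse}


class SetTop:
    """The CA routine of FIG. 3 and the second CA routine of FIG. 4. Fields the
    text keeps in secure memory are plain attributes here."""

    def __init__(self, emm: dict, table: dict):
        self.tiers = emm["tiers"]
        self.impulse = emm["impulse"]
        self.table = {oid: decode_ecs(ecs) for oid, ecs in table.items()}

    def ca_check(self, obj_id: str, code: bytes) -> str:
        """Authorization (step 140) before authentication (step 150)."""
        ecs = self.table.get(obj_id)
        if ecs is None:
            return "denied: no tier association"             # step 160
        if not ecs["tiers"] & self.tiers:
            return "denied: tier not authorized"              # step 140 -> 160
        if not hmac.compare_digest(ecs["ecr"], fingerprint(obj_id, code)):
            return "denied: fingerprint mismatch"             # step 150 -> 160
        return "allowed"                                      # step 170

    def resource_check(self, obj_id: str, resource: int) -> str:
        """Second CA routine: the object's ECS must list the resource and the
        EMM must grant it, either outright or as an impulse-authorizable tier."""
        ecs = self.table.get(obj_id)
        if ecs is None or not ecs["resources"] & resource:
            return "denied: object not permitted this resource"
        if self.tiers & resource:
            return "allowed"
        if self.impulse & resource:
            self.tiers |= resource   # register the impulse authorization for billing
            return "allowed (impulse)"
        return "denied: EMM grants no permission"


def demo() -> dict:
    """Constructed objects and entitlement; returns the outcome of each check."""
    objects = {"os.bin": b"\x7fOS-IMAGE", "game.app": b"GAME-CODE"}
    requirements = {"os.bin": (TIER_OS, 0), "game.app": (TIER_GAMES_IPPU, RES_MODEM)}
    table = build_association_table(objects, requirements)
    box = SetTop(make_emm("stb-0001", TIER_OS | TIER_GAMES_IPPU, impulse=RES_MODEM), table)
    return {
        "os": box.ca_check("os.bin", objects["os.bin"]),
        "tampered": box.ca_check("os.bin", objects["os.bin"] + b"\x00"),
        "unknown": box.ca_check("rogue.app", b"ROGUE"),
        "modem": box.resource_check("game.app", RES_MODEM),
        "printer": box.resource_check("game.app", RES_PRINTER),
    }
```

One consequence of the HMAC stand-in deserves attention: to verify the envelope and recompute the ECR, the set-top must hold both keys in its secure memory, so extracting them from a single terminal would let an attacker mint valid ECS entries for every terminal. An envelope signed with a public-key scheme removes that shared secret at the cost of a larger ECS, and the text's premise that a rogue object cannot "guess" its ECR holds only while the fingerprint is keyed or signed, never when it is a bare checksum.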
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step 126, the associated driver (upon the first use only of the tions and variations of the present invention are covered by 

resource) invokes a "second Conditional Access routine" the above teachings and within the purview of the appended 

(which may be part of BIOS or the operating system) to claims without departing from the spirit and intended scope 

determine if the requesting software object is allowed to use of the invention, 

this resource. More specifically, the driver routine calls the 5 What is claimed is: 

second access control routine which, in conjunction with the 1. A method for providing authorization and access con- 
secure processor, determines whether the software object trol of software object residing in digital set- top terminals, 
may utilize the requested resource (i.e., determines if it is comprising the steps of: 

authorized for such use). The resource usage authorization creating a fingerprint for each software object; 

rights are stored in secure memory as well. Specifically, in 1Q associating each fingerprint with a service tier; 

step 128 it is determined if the EMM provided permission to encoding each association made in said associating step; 

use the requested resource. If the EMM did not provide such Cfeating an ^sociMion table containing the information 

permission, the process disallows the use of the requested generated in said encoding step; 

resource (step 130) (i.e., the control goes back to the driver downloading the association table to the digital set-top 

and then the OS with a negative result, indicating that use of ^ terminal- 

the requested resource is not allowed). However, if the 1 transmittiri g a message, providing an indication of what 

EMM provided permission, the utilization of the requested software the set-top terminal may utilize, to the digital 

set-top resource is allowed m step 132. set-top terminal; and 

In addition, in the case where the permissions are set as providing a system routine at the digital set-top terminal 

Impulse tiers (requiring an explicit request from the user for 2Q that is invoked whenever software object has been 

the authorization to take effect), the routine grants the downloaded or is about to be utilized, 

authorization and registers the Impulse request within the wherein the system routine uses the association table to 

secure processor (for possible subsequen t billin g purposes determine if the software object about to be invoked 

via ^agrep .ortjb^&fm^n^ismlto has been authorized for the set-top terminal. 

In a still further aspect of a preferred embodiment of the ^ 2. The method of claim 1, further wherein the software 

invention, the driver associated with a requested resource object has been verified and validated prior to the recited 

may invoke the second CA routine only upon the first use of steps. 

the resource by the software object, wherein subsequent 3. The method of claim 1, further comprising the steps of: 

invocations of the second conditional access routine are recording a lifetime of the software object; and 

optional. 30 starting with a first use, checking the lifetime of the 

Finally, it will be appreciated by those skilled in the art software object for expiration, 

that various methods may be implemented in order to detect 4. The method of claim 3, wherein if a determination is 

any tampering to circumvent the processes described above. made in said checking step that the software object fife time 

These methods may include periodic background checks of has expired, further comprising the step of disabling the 

the software object memory, fingerprint (which may include 35 software object. 

memory size, checksum, etc.), including the set-top terminal 5. The method of claim 1, wherein if a plurality of 

core BIOS, Operating System, etc., against p re-calculated software objects are associated with a service, ftirther com- 

and protected values for each. Specifically, for example, the prising the step of: 

set-top terminal's secure processor in conjunction with the creating a fingerprint for the plurality of software objects 

user processor can perform a memory checksum on certain 40 as a group. 

critical components of the software. This may be done 6. The method of claim 1, wherein the transmitted mes- 

whenever the user processor and the secure processor have sage further indicates which set-top terminal resources the 

sufficient idle time to perform this function in order to software object is authorized to utilize, 

minimize adverse performance effects on other functions. It 7. The method of claim 6, wherein an impulse authori- 

may also be invoked at the operator's request via a received 45 zation service tier may be assigned to facilitate immediate 

command message (from the MSO's controller), in the event authorization of a resource. 

that the MSO wants to verify the integrity of the software as 8. The method of claim 7, wherein the impulse authori- 

part of a trouble shooting or monitoring process. The secure zation service tier has a time duration associated with it. 

processor has the cryptographic checksum of the software 9. The method of claim 1, further wherein the transmitted 

component to be checked. The user processor, under the 50 message in said transmitting step provides the indication by 

operating system's control, passes the memory segments setting the corresponding service tiers, 

comprising this object to the secure processor. 10. The method of claim 1, further wherein if the service 

If the secure processor determines that the check has tier has not been authorized, the software object is not 

failed, it may embody the status in an encrypted format, executed. 

which is incorporated in a message that is sent to the MSO's 55 11. The method of claim 1, further wherein if the service 

controller. The reliance on the user processor for this pur- tier has been authorized, the system routine checks deter- 

pose may be minimized to ensure that these operations can mines if the software object about to be utilized passes a 

not be intercepted. In addition, in the event that tampering or corresponding fingerprint check. 

a transmission error (in either case, a "deviation") is 12. The method of claim 11, wherein if the software object 

detected, additional indications may be provided, for 60 about to be utilized passes the corresponding fingerprint 

example, flagging the set-top terminaFs unique address to check, further comprising the step of: 

the MSO/headend to shut off all or some of the subscriber's determining if the use of a set-top terminal resource has 

services, notifying a local or national Access Control Center been requested. 

of the event, the time, the unique set -top terminal address, 13. The method of claim 12, wherein if a determination is 

geographic location, etc. 65 made in said determining step that the use of a set-top 

Although various embodiments are specifically illustrated terminal resource has been requested, further comprising the 

and described herein, it will be appreciated that modifica- step of: 
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providing a second system routine at the digital set- top 
terminal. 

14. The method of claim 12, wherein if a determination is
made in said determining step that the use of a set-top
terminal resource has been requested, further comprising the
step of:

determining if it is the first time that use of the set-top
terminal resource by the software object has been
requested,
wherein if it is the first time that use of the resource has
been requested, providing a second system routine at
the digital set-top terminal.

15. The method of claim 13, wherein the second system 
routine uses the transmitted messages to determine if the 
software object may utilize the requested set-top terminal 
resource. 

16. The method of claim 11, further wherein if the 
software object about to be utilized does not have a corre- 
sponding fingerprint, the software object is not executed. 

17. The method of claim 1, wherein the fingerprint of the 
software object residing in the set-top terminal is periodi- 
cally compared to a reference value and an indication of a 
deviation is provided. 

18. A method for providing authorization and access
control of applications executing in digital set-top terminals,
comprising the steps of:

associating each application with a service tier;
encoding each association made in said associating step;
creating an association table containing the information
generated in said encoding step;
downloading the association table to the digital set-top
terminal; and
providing a system routine at the digital set-top terminal
that is invoked whenever an application is invoked,
wherein the system routine uses the application association
or the association table to determine if an
invoked application is associated with a service tier,
and
wherein if the invoked application is not associated
with a service tier, the application is not utilized.

19. The method of claim 18, further wherein if an invoked 
application is associated with a service tier, the system 
routine further determines if the tier corresponding to the 
service/application has been authorized. 

20. The method of claim 18, wherein when set-top ter- 
minal resource control is desired for a single application 
across all set-tops, further comprising the step of: 

providing an indication of the set-top terminal resource 
control in the encoded associations, wherein a second 
system routine uses the association table to determine 
if the software object may utilize the requested set-top 
terminal resource. 

21. The method of claim 18, wherein set-top terminal
resource control indications are conveyed to each set-top
individually.

22. The method of claim 18, wherein the software 
memory size of critical software components of the digital 
set-top terminal are periodically compared to a reference 
value and an indication of a deviation is provided. 

23. The method of claim 18, wherein the software size of 
the operating system of the digital set-top terminal is peri- 
odically compared to a reference value and an indication of 
a deviation is provided. 
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24. The method of claim 18, wherein the software object 
memory size of the application code image in the digital 
set-top terminal is periodically compared to a reference 
value and an indication of a deviation is provided. 

25. The method of claim 18, wherein the checksum of 
critical software components of the digital set-top terminal 
is periodically compared to a reference value and an indi- 
cation of a deviation is provided. 

26. The method of claim 18, wherein the checksum of the 
operating system of the digital set-top terminal is periodi- 
cally compared to a reference value and an indication of a 
deviation is provided. 

27. The method of claim 18, wherein the checksum of the 
software object in the digital set-top terminal is periodically 
compared to a reference value and an indication of a 
deviation is provided. 

28. A system for providing authorization and access
control of software object residing in digital set-top
terminals, comprising:

a multiple system cable operator site comprising:

means for creating a fingerprint for each software
object;
means for assigning each fingerprint to a service tier;
encoding means for encoding each association made in
said associating step;
means for creating an association table/message
containing the information generated in said encoding
step;
means for downloading the association table to the
digital set-top terminal;
means for transmitting a message, providing an
indication of what software the set-top terminal may
utilize, to the digital set-top terminal; and

a digital set-top terminal comprising:

a system routine that is invoked whenever software
object has been downloaded or is about to be
utilized,
wherein the system routine uses the association table/
message to determine if the software object about to
be invoked has been authorized for the set-top
terminal.

29. The system of claim 28, wherein said means for
creating a fingerprint comprises an independent software/
HW object authentication/signature device (OASD).

30. The system of claim 29, wherein the OASD comprises
said means for assigning each fingerprint to a service tier.

31. A digital set-top terminal, operating together with a
multiple system cable operator system to provide
authorization and access control of software object residing in the
digital set-top terminal, the set-top terminal comprising:

a system routine that is invoked whenever software object 
has been downloaded or is about to be utilized, 
wherein the system routine uses an association table/ 
message, created at the MSO and downloaded to the 
set-top terminal, to determine if the software object 
about to be invoked has been authorized for the 
set-top terminal, 
and further wherein the association table/message com- 
prises an encoded fingerprint to service tier associa- 
tion corresponding to the software object. 
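The two-stage authorization flow described above (the first CA routine checking the object's fingerprint and service tier against the EMM, and the second CA routine invoked by a resource driver on first use, with Impulse tiers registered for billing and given a time duration as in claims 6 to 8) can be modelled as a small state machine. The following is an added example, not code from the patent or from any MSO system; the SHA-256 fingerprint, the dict layout of the EMM and the association table, the sentinel for "no entry in secure memory", and the sample images and tier numbers are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field

_NOT_GRANTED = object()   # sentinel: no entry in secure memory yet (assumption)


def fingerprint(image: bytes) -> str:
    """Fingerprint ("signature") of a software object. The patent leaves the
    function open (size, checksum, etc.); SHA-256 here is an assumption."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class EMM:
    """Entitlement management message for one terminal (assumed layout).

    resource_rights maps a service tier to the resources its objects may use;
    the value is None for an unconditional right, or a duration in seconds
    for an Impulse tier right that needs an explicit subscriber request."""
    authorized_tiers: set
    resource_rights: dict


@dataclass
class SetTopTerminal:
    association_table: dict                              # fingerprint -> service tier
    emm: EMM
    secure_memory: dict = field(default_factory=dict)    # (fp, resource) -> expiry
    impulse_register: list = field(default_factory=list) # kept for later billing

    def _tier(self, image: bytes):
        return self.association_table.get(fingerprint(image))

    def ca_routine(self, image: bytes) -> bool:
        """First CA routine, invoked whenever an object is about to be utilized:
        no matching fingerprint, or a tier the EMM did not authorize, means the
        object is not executed."""
        tier = self._tier(image)
        return tier is not None and tier in self.emm.authorized_tiers

    def second_ca_routine(self, image: bytes, resource: str,
                          impulse_request: bool = False, now: float = 0.0) -> bool:
        """Second CA routine (steps 126-132), called by the resource driver.
        The first decision is recorded in secure memory, so later invocations
        can answer from that record instead of re-deriving it."""
        tier = self._tier(image)
        if tier is None or tier not in self.emm.authorized_tiers:
            return False
        key = (fingerprint(image), resource)
        expiry = self.secure_memory.get(key, _NOT_GRANTED)
        if expiry is not _NOT_GRANTED and (expiry is None or now < expiry):
            return True                                   # already granted
        rights = self.emm.resource_rights.get(tier, {})
        if resource not in rights:
            return False                                  # step 130: disallowed
        duration = rights[resource]
        if duration is None:
            self.secure_memory[key] = None                # step 132: allowed
            return True
        if not impulse_request:
            return False          # Impulse tier: authorization needs the request
        self.secure_memory[key] = now + duration          # timed Impulse grant
        self.impulse_register.append((key[0], resource, now))
        return True


def demo_terminal() -> SetTopTerminal:
    """Constructed sample data: two objects, one EMM (not real images)."""
    guide = b"constructed image: program guide"
    game = b"constructed image: premium game"
    table = {fingerprint(guide): 1, fingerprint(game): 2}
    emm = EMM(authorized_tiers={1},
              resource_rights={1: {"modem": None, "dvr": 3600.0}})
    return SetTopTerminal(table, emm)


if __name__ == "__main__":
    t = demo_terminal()
    guide = b"constructed image: program guide"
    print(t.ca_routine(guide), t.second_ca_routine(guide, "dvr"),
          t.second_ca_routine(guide, "dvr", impulse_request=True, now=0.0))
```

The "premium game" object is in the table but its tier is absent from the EMM, so both routines refuse it; the guide object may use the modem outright, but the DVR right is an Impulse right, so it is refused until the subscriber's request arrives, and the grant lapses after the configured duration.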
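The tamper-detection measure described before the claims (and claimed in claims 17 and 22 to 27) has the secure processor keep pre-calculated, protected size and checksum values, receive the memory segments of a component from the user processor, and report a deviation to the MSO's controller. The following added example models that split of roles; it is not the patent's or any vendor's code. HMAC-SHA256 as the keyed checksum, the two keys, the JSON report body, the fixed-size segmenting, the terminal address and the sample images are all assumptions, and the report carries an integrity tag where the patent describes encryption, a simplification so the controller can still detect a forged or altered report.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class SecureProcessor:
    """Holds the protected reference values and the keys; the user processor
    never sees them (assumed division of roles)."""
    check_key: bytes                    # keys the checksums (assumption: HMAC-SHA256)
    report_key: bytes                   # shared with the MSO controller (assumption)
    references: dict = field(default_factory=dict)   # component -> (size, checksum)

    def _checksum(self, image: bytes) -> str:
        return hmac.new(self.check_key, image, hashlib.sha256).hexdigest()

    def enroll(self, component: str, image: bytes) -> None:
        """Pre-calculated, protected values: memory size and keyed checksum."""
        self.references[component] = (len(image), self._checksum(image))

    def check(self, component: str, segments: list) -> bool:
        """Recompute over the segments handed in by the user processor and
        compare size and checksum against the protected reference."""
        size, ref = self.references[component]
        image = b"".join(segments)
        return len(image) == size and hmac.compare_digest(self._checksum(image), ref)

    def deviation_report(self, terminal_address: str, component: str,
                         event_time: int) -> dict:
        """Status for the MSO controller: event, time and the terminal's unique
        address, with an integrity tag (stand-in for the patent's encrypted form)."""
        body = {"address": terminal_address, "component": component,
                "status": "deviation", "time": event_time}
        blob = json.dumps(body, sort_keys=True).encode()
        return {"body": body,
                "tag": hmac.new(self.report_key, blob, hashlib.sha256).hexdigest()}


def verify_report(report_key: bytes, report: dict) -> bool:
    """Controller-side check that a received deviation report is genuine."""
    blob = json.dumps(report["body"], sort_keys=True).encode()
    expected = hmac.new(report_key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["tag"])


def user_processor_segments(memory: dict, component: str, chunk: int = 16) -> list:
    """The user processor, under OS control, passes the component's memory to the
    secure processor in segments (constructed: fixed-size slices of a bytes image)."""
    image = memory[component]
    return [image[i:i + chunk] for i in range(0, len(image), chunk)]


def background_check(sp: SecureProcessor, memory: dict, terminal_address: str,
                     event_time: int, components=None) -> list:
    """Run when both processors are idle, or for the components named in an
    operator command message. Returns one report per failed component."""
    reports = []
    for component in (components or sp.references):
        segs = user_processor_segments(memory, component)
        if not sp.check(component, segs):
            reports.append(sp.deviation_report(terminal_address, component, event_time))
    return reports


def demo() -> tuple:
    """Constructed sample: BIOS and OS images enrolled, then one OS byte altered."""
    sp = SecureProcessor(check_key=b"constructed-check-key",
                         report_key=b"constructed-report-key")
    memory = {"bios": b"constructed BIOS image " * 4,
              "os": b"constructed OS image " * 8}
    for name, image in memory.items():
        sp.enroll(name, image)
    clean = background_check(sp, memory, "STT-000001", 1000)
    memory["os"] = memory["os"][:-1] + b"X"   # same size, one byte changed
    tampered = background_check(sp, memory, "STT-000001", 1001)
    return clean, tampered
```

Because the checksum is keyed with a secret held only by the secure processor, the user processor cannot compute a matching value for altered memory, which is the reason the description wants reliance on the user processor minimised; the size comparison alone would miss the single-byte change in the sample.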